The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Integrating Cybersecurity in UX design

The digital landscape has ensured a wider range of businesses has access to a truly global marketplace. On one hand, this helps bolster a thriving entrepreneurial ecosystem. However, it also means there is a significant amount of competition. If your company’s website or mobile application doesn’t provide a stellar user experience (UX), consumers are able and willing to go elsewhere.

Yet, in the online environment, UX is not your only consideration. There are various threats your business and consumers face from cyber criminals. Therefore, when developing your online tools, you need to adopt effective protections. Unfortunately, many businesses struggle with implementing strong security that doesn’t also disrupt the UX.

Your best approach here is usually to integrate cybersecurity with UX design. So, let’s explore why and how you can achieve this.

How are UX and Cybersecurity related?

One of the mistakes too many businesses make is assuming that UX and cybersecurity are separate aspects of the digital infrastructure. They can certainly have independent intentions to an extent with different goals and actions to achieve these goals. Yet, understanding how they are closely related is the first step to effective integration.

In some ways one can’t — or, at least, shouldn’t — exist without the other. A good example of this is the application of web design in high-stakes sectors, like telehealth care. There are two core types of telehealth services; asynchronous care and synchronous (live) care. While there is a difference here in how patients interact with the medical professional, both types involve the collection and storage of sensitive data. It’s certainly important from a UX perspective to make both asynchronous and live processes as simple and convenient as possible for patients. Yet, this simplicity shouldn’t sacrifice the security of the data.

Clear and strong security protocols give consumers confidence in the system and the company they’re interacting with. This applies to not just healthcare industries but also eCommerce, education, and supply chain sectors, among others. Similarly, consumers may be more likely to adopt more secure behaviors if they can see how it feeds into the convenience and enjoyment of their experience. This means that the UX development process must involve security considerations from the ground up, rather than as an afterthought.

How can you plan effectively?

As with any project, planning is essential to the successful integration of cybersecurity and UX design. An improvisatory approach that involves tacking security or UX elements onto your site or app doesn’t result in a strong development. Wherever possible, your best route is to bring both the UX departments and cybersecurity professionals together in the planning process from the outset. Each department will have insights into one another’s challenges that benefit the project as a whole.

Another key part of your planning process is researching and analyzing your users’ behavior concerning the types of online tools you’re developing. Work with business analytics professionals to understand in what ways security factors into your target demographic’s preferred online experiences. Review what the common security behavior challenges are with your consumers and what experiential elements prevent them from implementing safe actions. This then enables you to create the most apt UX and security arrangements to meet your consumers’ needs.

Importantly, your team needs to plan with balance in mind. They need to make certain that as far as possible, security doesn’t interfere with UX and vice versa. For instance, you may be able to design multiple layers of encryption that require minimal user interaction to activate. Whatever you approach, you must build thorough testing into the planning process. This shouldn’t just be to review efficacy and strength, but also to establish whether there are imbalances that need to be corrected.

What tools can you use?

You should bear in mind that integrating UX and cybersecurity isn’t just a case of developing a unique site or app. Finding this balance is a challenge that businesses have been seeking to address throughout the rise of our digital landscape. This means that there are some existing tools that you can incorporate into your more tailored approach.

Artificial intelligence (AI) is increasingly popular here. Even small businesses can access AI tools that take care of many elements of a website and mobile application development. These tools not only save companies time in coding, but they can also make more secure sites by mitigating the potential for human error. Indeed, AI-driven security monitoring software can scan networks in real-time, responding to threats quickly and effectively without disturbing the user experience.

Aside from AI, adopting a single sign-in, multi-factor authentication is a common tool to adopt. This approach provides maximum security by requiring users to authenticate using more than one device. However, it's important not to disrupt the user flow by ensuring this is a one-time action that allows them to access various aspects of your online space. You should require further authentication only when they navigate away from the site, utilize a new device, or attempt purchases over a certain threshold.

Conclusion

Integrating UX and cybersecurity is not always easy. It’s important to understand that these elements need to coexist to achieve the most positive outcomes. From here, thorough planning that involves collaboration from both security and UX professionals is key to achieving a good balance. Remember that tools like AI and multi-factor authentication can bolster your ability to create a safe service that users enjoy interacting with.

The post Integrating Cybersecurity in UX design appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Mobile security refers to the technologies and processes that are used to protect mobile devices from malicious attacks, data breaches, and other forms of cybercrime. It also includes measures taken to safeguard personal information stored on these devices, as well as protecting them from physical damage or theft. Mobile security is becoming increasingly important due to the rapid proliferation of smartphones and tablets being used for business purposes around the world.

Businesses need to take steps to ensure their data remains secure when accessing company networks via mobile devices, including implementing a few key measures. Below are ten ways B2B companies can do better mobile security.

1. Use a secure email provider

A secure domain email address is one of the most important ways to ensure that company emails and other sensitive data remain safe. Email providers such as Google, Microsoft, Zoho, and Postale offer secure domain email addresses which encrypt all emails sent and received in transit. This makes it more difficult for hackers to gain access to confidential information or launch attacks on vulnerable systems.

Using a secure email provider is essential for any organization looking to maximize its data protection efforts. By taking advantage of these services, businesses can rest assured knowing their emails are secure and protected from malicious actors.

2. Implement strong authentication

Strong authentication refers to the use of two or more forms of authentication to authenticate a user's identity. This could include using a one-time password for each login, biometric factors such as fingerprints, or utilizing an encrypted token. Strong authentication ensures that only authorized users can access company networks and confidential data.

Having strong authentication measures in place is an essential step in protecting data, as it helps to prevent unauthorized access and keeps sensitive information secure.

3. Install mobile security software

Mobile security software (also known as mobile device management or MDM) can help protect devices from malicious attacks. Mobile security software can be installed on all company-owned devices, providing a layer of protection by scanning for and blocking malicious applications. It can also offer additional layers of protection such as remote wiping capability, encryption, and the ability to remotely lock lost or stolen devices.

4. Enforce use policies

By having clear use policies in place, businesses can ensure their employees understand the importance of mobile security and that they are adhering to the established rules. These policies should include restrictions on downloading or installing unapproved apps, accessing unknown or suspicious websites, or sharing confidential information with unauthorized personnel.

Enforcing use policies is essential for keeping company networks and data secure. By ensuring that all employees abide by the same set of rules, businesses can greatly reduce their risk of a data breach or other malicious attack.

5. Utilize cloud storage

Cloud storage provides an effective way to store business data securely off-site. Data stored in the cloud is encrypted and kept safe from physical damage or theft. It also eliminates the need for large servers and other physical infrastructure, reducing both costs and the potential risk of data breaches. Additionally, cloud storage allows employees to access their data from any device, anytime and anywhere.

Utilizing cloud storage is an efficient way to keep sensitive information secure while still providing easy access for authorized users.

6. Use virtual private networks (VPNs)

A virtual private network (VPN) provides an extra layer of security by encrypting all traffic between two devices. This means that even if an unauthorized user were to intercept the data transmitted over the connection, they would be unable to read it due to the encryption. VPNs are especially useful for businesses that need to securely access company networks when using public Wi-Fi or other shared networks.

Using a VPN is an important step in protecting data from malicious attacks, as it ensures that all traffic is securely encrypted and less susceptible to being accessed by unauthorized parties.

7. Educate employees about the latest cybersecurity threats

Even with good policies and procedures in place, your employees still represent a vulnerable point in your data security. That’s why it’s important to regularly educate them about the latest cybersecurity threats and how they can avoid falling victim to them. This could include information on phishing scams, malware infections, mobile device security, and more.

By providing employees with the knowledge needed to recognize potential threats and take the necessary measures to protect themselves and their organization from attackers, businesses can greatly reduce their risk of suffering a data breach or other malicious attack.

8. Use two-factor authentication

Two-factor authentication (2FA) is an extra layer of security that requires users to provide two pieces of evidence when logging into an account or system. Typically, this consists of something that you know (such as a password), and something that you have (such as a mobile device). By requiring two different pieces of evidence, it makes it much more difficult for unauthorized parties to gain access to confidential data.

By implementing 2FA on all accounts and systems, businesses can greatly reduce their risk of suffering a data breach or other malicious attack. Doing so will ensure that only authorized users are able to access sensitive information, which helps keep confidential data always secure.

9. Monitor user activity

User activity monitoring is an important step in protecting your organization from malicious actors. By tracking user activities such as logins, downloads, file transfers and other system changes, businesses can detect suspicious activity in real-time and respond quickly to mitigate any potential damage.

By monitoring user activity on a regular basis, businesses can greatly reduce their risk of suffering a data breach or other malicious attack. Doing so will help ensure that all systems always remain secure and confidential information remains protected from unauthorized access.

10. Regularly back up your data

Backing up your data on a regular basis is an important step in protecting it from malicious actors. By having multiple copies of your files stored in separate locations, you can recover them quickly in the event of a data loss or system failure. This ensures that sensitive data remains safe and secure even if one copy is compromised by an attacker.

Using an automated backup system is a great way to ensure that your data remains protected and secure. Your IT department can set up an automated backup process that regularly creates backups of all company files on an external drive or in the cloud, ensuring that your data will always be available when needed.

Conclusion

By following these ten tips, B2B companies can greatly reduce their risk of suffering a data breach or other malicious attack. By taking the necessary steps to maximize their data protection efforts, businesses can ensure that confidential information remains secure at all times.

The post 10 Ways B2B companies can improve mobile security appeared first on Cybersecurity Insiders.

In 1999, the United States began to shape its QIS strategy. The first document on file is a Scientific and Technical Report (STR) entitled: “Quantum Information Science. An Emerging Field of Interdisciplinary Research and Education in Science and Engineering.” This is the first report of an assortment of publications that help establish the US QIS strategy. To date, 55 publications contribute to the overall US strategy to advance QIS and quantum applications. These documents consist of Scientific and Technical Reports (STR), Strategy Documents, Event Summaries, and the National Quantum Initiative Supplement to the President’s Budget.

To begin, STRs are fundamental sources of scientific and technical information derived from research projects sponsored by the Department of Energy. On an annual basis, the US has released roughly 3.5 QIS reports (on average) since 1999; consequently, these publications make up 65% of the strategic documents related to QIS. Scientific and Technical Reports describe processes, progress, the results of R&D or other scientific and technological work. Additionally, recommendations or conclusions of research, original hypotheses, approaches used, and findings are also included. Scientific and Technical Reports have proven to be highly beneficial to researchers. STRs regularly include more comprehensive or detailed information than scholarly papers or presentations since STRs include experimental designs and technical diagrams.

Continuing, released in 2009, the National Science and Technology Council (NSTC) released the first QIS Strategy Document entitled “A Federal Vision for Quantum Information Science.” NSTC has the aim of articulating clear goals and a vision for federal service and technology investments, focusing on information technology, and strengthening fundamental research. This interagency document set conditions to coordinate federal efforts in QIS and other related fields. Furthermore, the strategy documents establish clear national goals for service and technology investments in information technologies and health research industries.

Additionally, in 2018, a Summary of the 2018 White House Summit on Advancing American Leadership in Quantum Information Science was published as an Event Summary. Event Summaries are published by the National Quantum Coordination Office (NSQO). Event summaries provide an executive summary of key engagements related to QIS. With six summaries published to date, the current theme revolves around events that promote leadership, education, outreach, and recruitment in the field of QIS. The summaries prove to be very advantageous since they provide a read-out document that can be archived to capture event background, discission topics, key takeaways, agency funding/research award announcements, next steps, and an event conclusion.

Furthermore, the National Quantum Initiative (NQI) Act, which became law in 2018, ensures the annual release of the National Quantum Initiative Supplement to the President’s Budget. This is the final document to reference which contributes to the US QIS strategy. The supplement details the current year’s efforts, progress, and budget for the National Quantum Initiative Program, along with, projecting a budget for the next fiscal year. The supplement also provides an analysis of the progress made toward achieving the goals and priorities of the NSTC Subcommittee on Quantum Information Science (SCQIS).

Since 1999, the US began charting a way to address QIS. Vision, strategy, R&D, agency coordination, funding, and QIS promotion efforts have been consistent. The strategy has also accelerated in the last five years. As advances in Quantum Science materialize, the US continues to make strides in coordinating across the Federal government, academic institutions, and industry. 21 different agencies in addition to Nobel Laureates and international partners are invested in the US strategy to address all aspects of Quantum Science. With certainty, there is a race to clearly understand all aspects of QIS and the impact it can have on our society. The US displays an inclusive, wide reaching, firm, and consistently accelerated strategy due to developments in QIS. US strategy and efforts toward QIS places the US on a path to lead the world in QIS. Simply put, the US strategy encompasses a whole of government approach, along with, collaborating with industry, academic institutions, and allies worldwide to bring to life the remarkable potential in how QIS can change the way citizens live, work, and understand the world.

“As new technologies continue to evolve, we’ll work together with our democratic partners to ensure that new advances in areas from biotechnology to quantum computing, 5G, artificial intelligence, and more are used to lift people up, to solve problems, and advance human freedom.” – President Biden

 

SECDEF Executive Fellowship Homepage

US Army Homepage

Army War College Homepage

Find Your Army Career

The post Guiding publications for US strategy on Quantum Information Science (QIS) appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

According to the Open Web Application Security Project (OWASP, 2019), broken object-level authorization (BOLA) is the most significant vulnerability confronting modern application programming interfaces (APIs). It can be exciting to pursue innovations in the API area, but while doing so, programmers must ensure that they are adequately attentive to security concerns and that they develop protocols that can address such concerns. This article will describe the problem of BOLA and its consequences, and then it will present potential actions that can be taken to solve the problem.

The problem

​OWASP (2019) indicates the following regarding BOLA: “Attackers can exploit API endpoints that are vulnerable to broken object-level authorization by manipulating the ID of an object that is sent within the request” (para. 1). For example, a hacker may access information regarding how various shops make requests to an e-commerce platform. The hacker may then observe that a certain pattern exists in the codes for these requests. If the hacker can gain access to the codes and has the authorization to manipulate them, then they could establish a different endpoint in the code and thereby redirect all the data to themselves.

The exploitation of BOLA vulnerabilities is very common because, without the implementation of an authorization protocol, APIs essentially have no protection whatsoever against hackers. To attack this kind of APIs, the hacker only needs the capability to access request code systems and intercept data by manipulating the codes, which can be done rather easily by anyone who has the requisite skills and resources (Viriya & Muliono, 2021). APIs that do not have security measures in place are thus simply hoping that no one will know how to conduct such an attack or have the desire to do so. Once a willing hacker enters the picture, however, the APIs would have no actual protections to stop the hacker from gaining access to the system and all the data contained within it and transmitted across it.

The consequences

​BOLA attacks have significant consequences in terms of data security: “Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation. Unauthorized access can also lead to full account takeover” (OWASP, 2019, para. 3). In short, BOLA attacks produce data breaches. Stories about data breaches are all too common in the news, with a very recent one involving a healthcare organization in Texas (Marfin, 2022). While not all data breaches are the result of BOLA attacks, many of them are, given that BOLA is a very common vulnerability in APIs. The specific consequences of a successful BOLA attack, as well as the magnitude of those consequences, would depend on the target of the attack.

For example, if the target is a healthcare organization, then the data breach could lead to hackers gaining access to patients' private health insurance. If the target is a bank, then the hackers would likely be able to access customers’ social security numbers. If the target is an e-commerce website, then data regarding customers’ credit card numbers and home addresses would be compromised. In all cases, the central consequence of a BOLA attack is that hackers can gain access to personal information due to a lack of adequate security measures within the APIs in question.

The solution

​The solution to BOLA is for programmers to implement authorization protocols for accessing any data or codes within an API. As OWASP (2019) indicates, prevention of BOLA will require the implementation of “an authorization mechanism to check if the logged-in user has access to perform the requested action on the record in every function that uses input from the client to access a record in the database” (para. 9).

BOLA vulnerability essentially has to do with APIs and assuming that if a user has access to the information required to make a request, then they must automatically be authorized to make that request. This assumption is obviously fallacious since hackers can gain access to the information and then use it to manipulate the API even though they have no actual authorization to do so.

Therefore, preventing BOLA vulnerability requires a system that not only responds to the user’s inputs but is also able to verify whether the user is authorized to perform the desired actions (Blokdyk, 2022). For example, the system may require an external password that a hacker would not be able to find simply by perusing data and information within the API itself.

The solution to BOLA, then, is straightforward one. APIs currently focus on object IDs for authenticating requests, which is altogether inadequate from a data security standpoint. To prevent BOLA, APIs must track the users themselves and focus on ensuring that users are properly authorized to make requests, take actions, and provide inputs within the system. The BOLA vulnerability is based entirely on the fact that programmers often fail to implement such a protocol. Such implementation would eliminate the entirety of the vulnerability insofar as hackers will then not be able to access and manipulate target APIs.

Perhaps BOLA is thus a case study in humility. As programmers explore new frontiers of modern APIs, they must also ensure that they do not neglect the basics. The implementation of user authorization protocols to prevent BOLA vulnerability must be understood as a foundational element for any sound API, and doing so will address a key OWASP priority. 

References

Blokdyk, G. (2022). User authentication and authorization. 5STARCooks.

Marfin, C. (2022, July 12). Tenet Healthcare faces lawsuit after data breach affects 1.2 million ​patients. Dallas Morning News. ​​https://www.dallasnews.com/news/courts/2022/07/12/tenet-healthcare-faces-lawsuit-%E2%80%8Bafter-data-breach-affects-12-million-patients/

Open Web Application Security Project. (2019). API2:2019 broken object level authorization. ​GitHub. https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa1-broken-​object-level-authorization.md

Viriya, A., & Muliono, Y. (2021). Peeking and testing broken object level authorization ​vulnerability onto e-commerce and e-banking mobile applications. Procedia Computer ​Science, 179, 962-965.

The post Broken Object Level Authorization: API security’s worst enemy appeared first on Cybersecurity Insiders.

Ransomware is a form of malicious software (malware) that restricts access to computer files, systems, or networks until a ransom is paid. In essence, an offender creates or purchases ransomware, then uses it to infect the target system. Ransomware is distributed in several ways including, but not limited to, malicious website links, infected USB drives, and phishing emails. Once infected, the offender encrypts the device and demands payment for the decryption key. Figure 1 provides a simplistic overview of the ransomware timeline.

Figure 1. Ransomware timeline.

how ransomware works

The earliest recorded case of ransomware was the AIDS Trojan, which was released in the late 1980s. Now, in 2023, ransomware is considered the greatest cybersecurity threat due to the frequency and severity of attacks. In 2021, the Internet Crimes Complaint Center received over 3,000 ransomware reports totaling $49.2 million in losses. These attacks are especially problematic from a national security perspective since hackers aggressively target critical infrastructure such as the healthcare industry, energy sector, and government institutions.

If ransomware has been around for over 40 years, why is it now increasing in popularity? We argue the increase in ransomware attacks can be attributed to the availability of ransomware sold on darknet markets.

Darknet markets

Darknet markets provide a platform for cyber-criminals to buy, sell, and trade illicit goods and services. In a study funded by the Department of Homeland Security, Howell and Maimon found darknet markets generate millions of dollars in revenue selling stolen data products including the malicious software used to infect devices and steal personal identifying information. The University of South Florida’s (USF) Cybercrime Interdisciplinary Behavioral Research (CIBR) sought to expand upon this research. To do this, we extracted cyber-intelligence from darknet markets to provide a threat assessment of ransomware distribution. This report presents an overview of the key findings and the corresponding implications.

Threat assessment

While drugs remain the hottest commodity on darknet markets, our threat intelligence team observed a rise in ransomware (and other hacking services). 

The study was conducted from November 2022-February 2023. We began by searching Tor for darknet markets advertising illicit products. In total, we identified 50 active markets: this is more than all prior studies. We then searched for vendors advertising ransomware across these markets, identifying 41 vendors actively selling ransomware products. The number of markets and vendors highlight the availability of ransomware and ease of access. Interestingly, we find more markets than vendors. Ransomware vendors advertise their products on multiple illicit markets, which increases vendor revenue and market resiliency. If one market is taken offline (by law enforcement or hackers), customers can shop with the same vendor across multiple store fronts.

The 41 identified vendors advertised 98 unique ransomware products. This too shows the accessibility of various forms of ransomware readily available for purchase. We extracted the product description, price, and transaction information into a structured database file for analysis. In total, we identified 504 successful transactions (within a 4-month period) with prices ranging from $1-$470. On average, ransomware sold on the darknet for $56 with the best-selling product being purchased on 62 different occasions at $14 per sale. A screenshot of the best-selling ransomware advertisement is presented in Figure 2. This product is listed as fully customizable, allowing the customer to choose their target and ransom amount. These findings illustrate that ransomware sold on the darknet is both affordable and user-friendly.

Figure 2. Ransomware advertisement found on a darknet market.

ransomware advertisement on dark web

Purchases on the darknet are facilitated using cryptocurrencies that anonymize the transaction and ensure both the buyer and seller's protection. Bitcoin is the favored method of payment, but some vendors also accept DOGE, Bitcoin Cash, Litecoin, and Dash.

Our final goal was to understand which words are associated with ransomware distribution. Using the product description, we created a word cloud (presented in Figure 3) to depict the most common words used when selling ransomware. The most commonly used words include ransomware, encrypt, systems, urgency, decryption, victims, and software. Knowing the words associated with ransomware distribution allows for the development of machine learning algorithms capable of detecting and preventing illicit transactions.

Figure 3. The most used words in a ransomware advertisement.

ransomware ad word cloud

Implications

The security concerns posed by ransomware and darknet markets have been independently identified by researchers, government agencies, and cybersecurity companies. We expand the discussion by assessing the synergetic threat posed by ransomware distributed via darknet markets. Our findings suggest the uptick in ransomware may result from product availability, affordability, and ease of use. Cyber-criminals no longer need the advanced technical skills required to develop unique forms of ransomware. Instead, they can simply purchase customizable ransomware on the darknet and launch an attack against their victims.

Acknowledgements

            This research would not be possible without the students and faculty associated with CIBR lab. Specifically, we thank Taylor Fisher, Kiley Wong-Li, Mohamed Mostafa Abdelghany Mostafa Dawood, and Sterling Michel for their continued involvement on the cyber-intelligence team. For more cutting-edge cybersecurity research, follow Dr. C. Jordan Howell, Lauren Tremblay, and the CIBR Lab on Twitter: @Dr_Cybercrime, @DarknetLaur, and @CIBRLab.

The post An assessment of ransomware distribution on darknet markets appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

More and more, people are completing the entire real estate transaction process online. From searching for properties to signing documents, online convenience can make the process easier and more efficient. However, with all of this activity taking place on the internet, it is important to be aware of the potential security risks that come along with it. Here are the eight common cybersecurity issues that can arise during the purchase of real estate online and how you can protect yourself against them.

1. Cybercrime

This is, unfortunately, the world we live in – and it makes sense, given the large sums of money involved. Cybercriminals may attempt to hack into the system and gain access to private information. They may even try to interfere with the transaction process itself, delaying or preventing it from taking place at all.

To combat this threat, make sure you are using a secure online platform when completing the transaction and be sure to only provide personal information when necessary.

When you are completing a real estate transaction online, a lot of your personal information will be requested. This can include anything from your address and phone number to your bank account information. If this information is not properly secured, it could be at risk of being accessed by cybercriminals.

To keep yourself safe, it is important to know what to look out for. You should watch for the commonly attempted ways that remote real estate buyers might be targeted and understand what you should do in the event of a breach.

2. Data breaches

Buying real estate remotely involves a number of different tools, like online payment gateways and other web services. All of these tools can be vulnerable to data breaches, which means that hackers could gain access to your personal information stored on their servers. To protect yourself, research a service’s security standards before providing any sensitive information or look for an alternative if the security measures are inadequate.

Always make sure you are observing best practices during and after an online purchase, which include doing things like updating your passwords as appropriate and monitoring your credit cards for any suspicious activity. By following these tips, you can help ensure that your online real estate transaction is secure.

3.  Phishing scams

These are attempts to obtain your personal information by pretending to be a legitimate source and they are on the rise. Be sure to only provide your information on secure websites and look for signs of legitimacy, such as “https” in the web address or a padlock icon in the URL bar.

Phishing scams that target real estate buyers might include emails, text messages, and voicemails asking you to provide your credit card details or other personal information to make a purchase. Make sure to always look for signs of legitimacy before providing any sensitive information.

They might also include bogus emails from lawyers or other professionals with malicious links or attachments. Be sure to only open emails from verified sources and never click on suspicious links.

4. Malware threats

Malicious software can be used to steal your personal information, such as banking credentials and passwords, or to install ransomware that locks you out from accessing your own files. To protect yourself from malware, make sure to install trusted antivirus and anti-malware software on your computer. Additionally, make sure to always keep your operating system up to date with the latest security patches.

5. Identity theft

Identity theft is a growing problem online and can be especially dangerous for real estate buyers. Hackers may use stolen information to gain access to your bank accounts or other financial resources, making it important to protect all your personal information from potential thieves. Make sure to use secure passwords, avoid public Wi-Fi networks, and never provide sensitive information over email.

This is especially pressing in an age where people are so much more mobile and global than they ever have been. Real estate transactions can be conducted from airports, coffee shops and all manner of unsecured wireless networks, which demands extra vigilance when it comes to cybersecurity.

6. Website hacking

Hackers can also gain access to websites and steal information stored on them, including user data. To protect yourself from website hacking, make sure that the websites you use have strong security protocols in place. Additionally, look for signs of legitimacy such as a padlock icon in the URL bar and verify any third-party links or attachments before clicking on them.

If you are dealing with a real estate agent that uses a website, make sure it is secure and they have taken proper precautions to protect your data.

7. Social engineering attacks

Social engineering attacks are when hackers use psychological tactics to get you to reveal confidential information or take some sort of action. For example, they may send fraudulent emails that appear to come from a real estate agent asking for your personal details or credit card numbers. Make sure to always verify the source of any emails before taking any action.

The best way to identify a social engineering attack is to look for suspicious language, attachments, or links in the email. If anything looks out of the ordinary, it's best to delete the message and report it to your security provider.

You can always take extra steps to protect yourself, like using two-factor authentication when logging into accounts or working with a cybersecurity professional. By staying vigilant and taking proactive measures, you can help ensure that your online real estate transactions are secure.

8. Having weak passwords

Another common cybersecurity issue is having weak passwords. Make sure to use strong passwords when creating any accounts associated with your real estate purchase. You should also change your passwords on a regular basis and never reuse old passwords or share them with anyone else.

Using a password manager can also help you keep track of all your different passwords and store them in a secure place. If you're dealing with an agent, ask them to use strong passwords as well, and make sure that they keep all of your personal information safe.

Conclusion

Real estate transactions are increasingly taking place online, which can create potential security risks if proper precautions aren't taken. By following best practices and being aware of the common cybersecurity issues associated with purchasing real estate online, you can help ensure that your transaction is secure. With a bit of extra effort and knowledge, you can rest assured knowing that your online property purchases are safe and secure.

The post 8 Common Cybersecurity issues when purchasing real estate online: and how to handle them appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

“Why are you here if you cannot decrypt our data?” This is how people sometimes react to the arrival of the external incident response team. In this article, I will try to answer this question, but at the same time, I am going to describe the stages of incident response, list the main mistakes that play into the hands of hackers, and give basic advice on how to respond.

Let's start by defining what a security incident is. Although the concept is straightforward, various companies may interpret it differently. For instance, some companies may consider incidents to include situations such as a power supply failure or a hard drive malfunction, while others may only classify malicious actions as incidents.

In theory, an incident is a moment when some kind of undesirable event occurs. In practice, the definition of an “undesirable event” is determined by each company's own interpretation and perspective.

For one organization, the discovery of a phishing email is what requires investigation. Other companies may not see the point in worrying about such incidents. For instance, they may not be concerned about a phishing email being opened on an employee device in a remote location not connected to the main infrastructure since it poses no immediate threat.

There are also interesting cases here. For example, online traders consider a drop in the speed of interaction with the online exchange by 1% to be a serious incident. In many industries, proper incident response steps and cybersecurity in general, cannot be overestimated. But if we are talking about serious incidents, then most often, these are events related to the penetration of an attacker into the corporate network. This annoys the vast majority of business leaders.

Incident response stages

While the interpretation of certain events as security incidents may vary depending on various factors such as context and threat model, the response steps are often the same. These response steps are primarily based on the old SANS standard, which is widely used by many security professionals.

SANS identifies six stages of incident response:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons learned

It is important to note that the external response team is not immediately involved in this process.

Preparation

Preparation involves properly aligning organizational and technical processes. These are universal measures that should be implemented effectively across all areas:

  • Inventory networks
  • Build subnets correctly
  • Use correct security controls and tools
  • Hire the right people

All this is not directly related to the external response team and, at the same time, affects its work significantly. The response is based on preparatory steps. For example, it relies heavily on the log retention policy.

Each attack has its own dwell time – the time from an attacker entering the network until their activity is detected. If the attack has an extended dwell time (three-four months) and the logs are kept for seven days, it will be much more difficult for the investigation team to find the “entry point.” The required data will no longer be available. If such a situation arises, the response team can take action, but the likelihood of achieving a 100% successful outcome is significantly reduced.

Identification

This stage is entirely based on how well the preparation was done in the first stage. If everything is done correctly, there is a good chance that you will discover something in advance that can potentially lead to an unacceptable event.

Even primitive and basic steps can greatly increase the likelihood of early detection of a cyber threat. By building your own Security Operations Center (SOC) or engaging a capable third-party provider and implementing effective monitoring practices, you can greatly improve your chances of detecting potential security incidents. Careful preparation allows you to detect an attack in its early stages before the attacker has done any harm.

Ideally, the response process should be initiated at this stage. Alas, in practice, there are many cases when the sad consequences of an attack are the only thing due to which the incident is detected. Everything goes along the logical chain: preparation is terrible, detection and analysis fail, and an incident occurs. And the investigation, in this case, turns out to be a non-trivial task.

Containment

This stage is performed in close cooperation between the external response team and the customer. IT personnel often simply reboot computers before the external incident response team arrives. Yes, this is also a containment method, although not the most elegant.

The problem is that this deprives the response team of a lot of important data. And what is more important, it does not always work. Today hackers rarely use just one technique to achieve persistence. They usually employ Remote Desktop Protocol (RDP) for lateral movement, and stopping them is not always easy. Therefore, joint analytics are vital to understand which connection is legitimate and which is not. When the external response team and their customers work together closely, it becomes simpler to understand the situation and develop effective tactics to contain specific threats.

Eradication

At this stage, it is generally expected that the incident response team has already provided the customer with an incident analysis, including malware analysis, indicators of compromise, etc. A thorough process of scanning the network is in progress, followed by the removal of all detected anomalies.

Recovery

At this stage, a consistent and accurate restoration of the customer's IT systems is carried out. It implies not just recovering from backups but also the reactivation and testing of information security tools.

Usually, restoring protections is a fairly simple task. The fact is that attackers, as a rule, act just by bypassing protection mechanisms. They get administrative privileges and, if possible, “turn off” security solutions. Yes, hackers can use malware that interferes with Windows logging or disrupt Critical Event Management, but such cases are relatively rare.

Although not a common occurrence, some attackers may leave bookmarks to enable repeated attacks. It is vital to remain vigilant and check for such bookmarks, even in the case of a seemingly straightforward attack.

Lessons learned

It may seem that the incident response team's main task is to restore everything to its previous state, but this is a simplification. The response team is invited for a different purpose. Its tasks are to understand:

  • The attack vector used by the hackers.
  • The specific entry point used to gain unauthorized access to the IT systems.
  • A detailed timeline of how the attack progressed.
  • Identification of potential prevention measures that could have been implemented at different stages.
  • Recommendations for addressing the root cause of the incident to prevent future attacks.

The answers help give better recommendations. For example:

  • If the attack started with phishing, it is advised to set up an email sandbox, adjust spam filters, and train employees.
  • If a vulnerability is to blame, changing the updatepatch and network monitoring procedures is recommended.

Why is the final stage so important? First, most attacks are not very inventive. Actually, they are formulaic. Therefore, you can draw conclusions from one attack and prevent a dozen similar ones.

Second, the hackers usually come back. Here is a real-life example. The IR team identified an entry point, studied that PC, and found that some files were encrypted a year before the incident. It turned out that the customers were aware but did not pay attention to the incident since the first time, it caused almost no damage. As a result, a second attack occurred through the same entry point. This time, hackers spent a little more of their time and encrypted everything and destroyed the entire domain.

Third, without adequate response procedures, it is impossible to enhance security awareness training and incident detection, which serve as the bedrock of a company's security system.

How to improve security

Basic knowledge is important

The basic things you probably already know about are already cool and very useful. Every year, thousands of companies fall victim to attacks due to the most banal reasons. The most common cases are the exploitation of unpatched vulnerabilities. The second common thing is phishing.

So, a significant number of potential security issues can be mitigated by prioritizing effective patch management, maintaining an accurate inventory of infrastructure, and providing staff with training in digital hygiene.

There are a lot of organizations that have already done all the basic things. However, it does not guarantee the complete absence of incidents. They can be recommended to run penetration tests. However, you need to “grow up” to this kind of thing. It makes no sense to conduct penetration testing when only 20% of the infrastructure is covered with Intrusion Detection and Response (IDRIDS) solutions.

Follow trends and industry reports

Numerous security reports and news can tell you what tools and attacks hackers use. This way, you can establish relevant security criteria for your company. The reports often provide specific recommendations on how to protect from a particular attack. One of the best sources for such information is MITRE ATT&CK Matrix.

Do not panic, and do not do rash things

A typical mistake is to reboot all the computers involved in the attack. Yes, there are urgent situations when this is crucial, but, if possible, please make copies of infected machines. This will enable you to preserve evidence for any subsequent investigation.

In general, do not act impulsively. Quite often, upon discovering encrypted files, employees immediately disconnect the power supply. This approach is akin to gambling. Nothing can be guaranteed after that. Yes, the encryption stops, and you can probably save several untouched files. On the other hand, such an abrupt stop corrupts the disc and data affected by the encryption process. Even if the security community comes up with a decryptor or you pay a ransom (which is not recommended), restoring data whose encryption has been interrupted may not be possible.

Contacting the experts

Is it possible to cope with an attack on our own? Yes, if you have well-established procedures. Mitigation efforts can be prioritized. It is not very difficult to protect mobile devices, implement multi-factor authentication, or set efficient patch management procedures. From a financial standpoint, relying on backups and minimizing recovery time can be an acceptable strategy. However, when it is essential to stop the attack promptly, determine the exact nature of the incident, understand who is to blame, and chart an effective course of action – there are no alternatives – call the external response team.

The post Insights from an external incident response team: Strategies to reduce the impact of cybersecurity attacks appeared first on Cybersecurity Insiders.

Firewall optimization (also known as firewall analysis) is the process of analyzing and adjusting the configuration and policy set of a firewall to improve performance and security. This process involves reviewing and corelating log data and device configurations, identifying potential vulnerabilities and weaknesses, and providing recommendations for remediation. Performing these processes is complex, which is why tools like firewall analyzers are useful. They offer automation, visualization, and alerting to provide recommendations that can be used to reduce the risk of attack.

What is the business impact of firewall optimization?

Firewall optimization is important because it can help organizations improve their overall security, performance, and compliance, while also reducing costs and improving decision-making. This can ultimately contribute to better overall business performance. Firewall optimization can have a positive impact on a business's overall network security and performance.

Some of the key benefits include:

  • Improved security: Analyze configurations and log data to identify potential vulnerabilities and threats in the network and provide recommendations for remediation. This can help to reduce the risk of successful cyber-attacks and data breaches.
  • Better performance: Improve overall network performance by identifying and addressing bottlenecks and inefficiencies in the firewall configuration. This can result in faster network speeds, more reliable connectivity, and better overall performance.
  • Compliance: Comply with relevant regulations and standards, such as PCI DSS and HIPAA, by providing regular compliance reports and identifying potential compliance issues.
  • Cost savings: By identifying and addressing inefficiencies and bottlenecks in the firewall configuration, firewall optimization can also help reduce costs associated with network maintenance and troubleshooting.
  • Improved decision-making: Have a better understanding of the network security posture and the capabilities of the firewall. This allows organizations to make more informed decisions about their security strategy, and to better allocate resources for security initiatives.

How is firewall optimization different from firewall management?

Firewall optimization uses software tools like a firewall analyzer to find weaknesses and vulnerabilities in network attached devices. The inspection includes analyzing configurations and log data from security devices, such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).

The primary features of a firewall optimization include:

  • Log analysis: Review log data to understand utilization trends over time and recommend ways to enhance the performance of the firewall without compromising security.
  • Configuration analysis and compliance reporting: Review running configurations of firewall devices regularly and include features for generating reports that show compliance with relevant regulations and standards, such as PCI DSS and HIPAA.
  • Security analytics: Analytics capabilities allow users to visualize and analyze data from firewalls. This can help to identify trends and patterns that may indicate potential security threats.
  • Alerting: Alerting features that notify users when potential threats or vulnerabilities are detected.
  • Integration with other tools: Some firewall analyzers can be integrated with other security tools, such as vulnerability scanners or intrusion detection systems, to provide a more comprehensive view of an organization's security posture.
  • Multi-vendor support: Firewall analyzers can support multiple firewall platforms. This can be useful when migrating from one firewall platform to another, to help clean the ruleset of any vulnerabilities and test configurations prior to deployment.

A firewall management platform, on the other hand, is a comprehensive tool that helps organizations to manage, configure, and monitor their firewalls. It includes features like firewall policy management, threat detection and management, asset discovery, and security analytics. The primary features of a firewall management platform include:

  • Policy management: Allows users to create and manage firewall policies, which define the rules for allowing or blocking network traffic.
  • Asset discovery: Discover and inventory assets on a network, including servers, workstations, and other network attached devices.
  • Security analytics: Analytics capabilities that allow users to visualize and analyze data from firewalls. This can help to identify trends and patterns that may indicate potential security threats.
  • Monitoring: Monitor network traffic and alerting users when potential threats or vulnerabilities are detected.
  • Integration with other tools: In addition to firewall analyzers, some firewall management platforms can be integrated with other security tools, such as a Security Incident and Event Manager (SIEM) to provide a more comprehensive view of an organization's security posture.

One of the main differences between firewall optimization and the firewall management platform is the scope of their capabilities. Firewall optimization is focused on the performance and configuration of the firewall, by analyzing the running configuration and log data from firewalls, even in environments with multiple vendor firewalls.

Another difference is the level of control on a device that the tools provide. A firewall analyzer provides insights, recommendations, application traffic flows, and may even have device configuration and management capabilities. A firewall management platform, on the other hand, provides granular control over firewalls, including the ability to create and manage firewall policies and to monitor network traffic.

How does firewall optimization work?

Firewall optimization uses a firewall analyzer tool to provide visibility into the security posture of a network by identifying potential threats and vulnerabilities, and by providing recommendations for remediation.

The process of firewall analysis typically involves the following steps:

  • Data collection: The firewall analyzer collects log data and device configurations from the security devices on the network. This data may include information on network traffic, firewall rules, and security events.
  • Data analysis: The firewall analyzer then analyzes the collected data to identify potential vulnerabilities and threats in the network. This may include identifying open ports, misconfigured firewall rules, or unusual network traffic patterns.
  • Reporting and visualization: The firewall analyzer generates reports and visualizations that provide a detailed overview of the network's security posture. These reports may include information on compliance with relevant regulations and standards, as well as recommendations for remediation.
  • Alerting: The firewall analyzer may also include alerting features that notify security teams when potential threats or vulnerabilities are detected.

Some firewall analyzers can also be integrated with other security tools, such as vulnerability scanners or intrusion detection systems, to provide a more comprehensive view of an organization's security posture.

Firewall optimization best practices

It is not uncommon for organizations to question if both a firewall analyzer and firewall management platform are necessary for improved network security. Firewall analyzers provide a strategic and operational view of the network security environment across multiple vendors. This contrasts with the firewall management platform’s operational and tactical capabilities which are vendor specific.

In addition, firewall analyzers can provide value for non-operational roles in an organization, such as auditors. Auditors can collect the information they need without having to access the firewall management platform directly or involve the operations teams who administer the platform.

Conclusion

Overall, firewall optimization using firewall analyzer tools and firewall management platforms are important for the network’s health and security. While they serve different purposes, they also complement each other with their unique capabilities. Organizations that need visibility into the performance of the network along with recommendations for improving the firewall security should consider a firewall optimization strategy that incorporates both capabilities.

AT&T Cybersecurity Consulting has more than 20 years of experience increasing network security and performance using its firewall optimization programs. Learn more about the benefits and best practices of implementing a firewall optimization strategy that incorporates both firewall analyzer tools and firewall management platforms. Contact us today to get started.

The post What is firewall optimization? appeared first on Cybersecurity Insiders.

Some of the biggest prevailing challenges in the cybersecurity world over the last year have been those revolving around securing the software supply chain across the enterprise. The software that enterprises build for internal use and external consumption by their customers is increasingly made up of third-party components and code that can put applications at risk if they aren't properly secured.

It's a problem that cuts across every industry, but manufacturers are feeling it especially acutely because they're tasked with securing not only the software supply chain but the physical supply chain as well. It's a very layered risk issue for manufacturers for two big reasons.

First of all, the things that manufacturers produce today are increasingly connected and more software dependent than ever before. They depend on a host of specialized silicon and digital components that are invariably produced by third-party manufactures themselves, creating a nested chain of third-, fourth-, and Nth-party dependencies that are difficult to track, let alone manage risk against.

Secondly, the factory floor itself is a part of the supply chain that is becoming more intricately converged with the IT network and which is highly dependent on third-party equipment, software, and remote connections.

Given these factors, it becomes clear that managing cybersecurity risk across the supply chain will require manufacturers to carefully attend to the risk brought to the table by their third-party suppliers and contractors. And on the flip side, many manufacturers who provide components to clients who are also manufacturers must stay vigilant as security standards rise for what it takes to get their products in the door elsewhere.

“As I've been doing in-depth interviews for our AT&T Cybersecurity Insights Report and also doing customer calls, one of the things I've observed about manufacturers in the supply chain is that even when they're smaller—say, 50- to 100-person shops—they're still saying, 'Security is critical to us,'” says Theresa Lanowitz, security evangelist for AT&T. “They know they need to be doing everything they can to abide by their customers' security guidelines, external rules and regulations, and mitigating the risk required to keep the entire supply chain secure.”

It's an issue that cybersecurity experts at AT&T like Lanowitz and those at Palo Alto Networks have increasingly been collaborating on to help manufacturing customers address across their organizations. The following are some tips they recommend for manufacturers managing third-party cyber risk in the supply chain.

Risk scores and signals matter

Because digital components and hardware are so woven into the products that supply chain providers deliver to their manufacturing clients, risk scores and signals matter more than ever. According to Dharminder Debisarun, worldwide industry security architect for manufacturing, Internet of Things and transport at Palo Alto Networks, it's up to companies determine what their risk appetite is for their providers—depending especially on what they're delivering to the supply chain—and start finding ways to get transparency into that.

“Ask yourself, 'What's our risk appetite for suppliers that we work with?'” he says. “You want to know that before you engage with them. Then there needs to be some kind of framework or certification that says 'Hey, this company is secure enough to do business with’.”

He says some governments have provided that kind of grounding—for example in Germany the automotive industry relies on the TISAX certification to prove out baseline security proficiency. Barring that, the growing world of third-party risk management monitoring is another place to start getting transparency. Ultimately, the goal is to do third-party screening of every bit of coding or connectivity delivered by suppliers into a manufacturer's supply chain or production streams.

Supplier contracts need to account for cyber risk

Even more important, says Debisarun is that manufacturers ensure that their cyber security standards are enforced contractually.

“You can only work this out contractually. You need to have cybersecurity and cyber risk requirements embedded into all the supplier contracts you put in place,” he says. “It's something manufacturers should really consider doing.”

Some of the things that should be enforced include disclosure of big security incidents or material software vulnerabilities, how remote access is established and maintained between supplier and manufacturer, how and when security audits or certifications are provided, and so on.

Managing third-party risk on the factory floor

Meantime, because the actual manufacturing capability of organizations is so intertwined with third parties, managing factory floor vendors securely is crucial. Debisarun explains that the assembly line floor today is almost never managed by the manufacturer itself.

“It's going to be an assembly line floor run by Siemens or Rockwell or ABB. And when these assembly lines are delivered by these giants of the manufacturer ecosystem, they will never allow the customer to do maintenance on that assembly line,” he says, explaining that big vendors contractually require that they handle the maintenance on this equipment.

In most cases, this requires remote access—especially now in this post-COVID world.

“At which point the manufacturer is flying blind,” he says.

This highlights the importance of setting up mitigating controls like secure remote access and Secure Access Service Edge (SASE) architecture that creates a pathway for the manufacturer to at least control the traffic in their network. At the core of SASE is Zero Trust Network Access (ZTNA 2.0) which combines fine-grained, least-privileged access with continuous trust verification and deep, ongoing security inspection to protect all users, devices, apps, and data everywhere – all from a simple unified product. This is an integral and oft-forgotten part of managing third-party risk in the manufacturing world.

Architect and collaborate – with resilience top-of-mind

Finally, organizations should be architecting their supply chain and coordinating their vendor management to keep cyber resilience top-of-mind. According to Lanowitz, the key is remembering the concept of eliminating 'single points of failure.'

“If you are a major car manufacturer, for example, and you're using tiny suppliers to help you build out your cars, you want to make sure that if they go out of business, if there's a fire in their plant, or their operations are interrupted by ransomware, you're not going to need to stop your assembly line waiting for them,” she says.

Debisarun agrees, explaining that every manufacturer should have a plan B and C for when cybersecurity events at suppliers create downstream impact.

“If one supplier breached, how long should you wait to it's resolved?” And that basically comes back to the contracts you are signing—the plan needs to be built into that so you aren't dependent on one supplier's readiness to handle a cyber event or a physical event,” he says.

The post Third party Cybersecurity risks in securing the supply chain appeared first on Cybersecurity Insiders.

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

As we move towards more automation, we should remember the risk of over-automating, or at least make a conscious decision to accept the risks. This is especially important in automating response actions, which left unchecked could wreak havoc with day-to-day business operations.

Investigation

The alarm

One evening after normal business hours, an alarm came in indicating a software package attempting to execute on a server was auto-mitigated by SentinelOne. The software package was behaving in a way that was taken as attempting to evade detection by the SentinelOne agent and therefore rated as “Malicious” by the SentinelOne Artificial Intelligence logic. Since the server on which the software package was attempting to execute had a “Protect” policy applied, the auto-mitigation steps for a dynamically detected “Malicious” rating included killing and quarantining the process.

A “policy” setting in SentinelOne is the defined level of automated response activity the endpoint detection and response tool (EDR) has permission to perform for each grouping of assets. Whereas a “Detect” policy will create an alert that can be managed for post-investigation response actions, a policy setting of “Protect” will take automated response actions. The intrusion level of those automated response actions can be customized, but they all perform an automated action without a person looking at the situation first.

The below image is for an alarm for malware which ended up being process automation software

Sentinel 1 alarm

but nonetheless was automitigated (process killed) by SentinelOne as shown in the log excerpt below.

automatic mitigation

The business impact

The next morning, with business hours back in full swing, the customer reached out to us concerned about the result of the automated response action. The customer stated that the software package is a critical part of their business infrastructure and should never be stopped from executing. The software had been running on that same server the prior several months, since entering SOC monitoring.

The customer questioned why after several months with the SentinelOne agent running on the server did the agent suddenly believe the software package was malicious. We were not able the answer the question specifically since the decision-making behind identifying and rating a process as “Malicious” versus “Suspicious” or benign is a proprietary logic.

What we could state is that any EDR solution worth its price will continually update indicator of compromise (IOC) signatures. Any worthwhile EDR solution will also include not only static detection but also behavior-based dynamic detection. In the case of SentinelOne, there is the pre-execution behavior analysis that allows for process termination pre-execution as well. And of course, any software package run on a server is subject to updates for security, efficiency, or product feature upgrades.

Taken as a whole, it means any endpoint being protected is a very dynamic battleground with the potential for an updated software package that did not trigger IOC rules yesterday triggering tehm today. Or a non-updated software package may suddenly be identified as potently malicious due to updated machine learning IOC behavior analysis. Remember when JNDI calls were considered benign?

Lessons learned

Just as we learn the CIA security triad is a balancing act between confidentiality, integrity and availability, there is a balance to be struck between the use of immediate automated response actions and the slower reasoning of human evaluation prior to response actions. An EDR solution will immediately and infallibly carry out the policy which it has been programmed to implement, but in a ruthless fashion. A human evaluation will take longer, but it can consider prior history, the validity of the triggering IOCs in context, and the nuances of how selecting one response action over another might impact your overall business.

Automation, machine learning, artificial intelligence, and the like have their place. Their benefits will no doubt increase as technology develops. But the human component will always be necessary. The MXDR SOC and our customers (being the humans that we are) must work together to define the critical assets and business processes that should never be touched by automated intrusion. We must also work together to find the space in your environment where those swift and ruthless automated response actions are an advantage. And it is a very human decision to conclude how much risk we can tolerate in each implementation.

The post Stories from the SOC  – The case for human response actions appeared first on Cybersecurity Insiders.